<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="utf-8" />
    
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
  <title>
    CORS原理详解 |  虎虎生辉
  </title>
  
  <link rel="shortcut icon" href="/blog/favicon.ico" />
  
  
<link rel="stylesheet" href="/blog/css/style.css">

  
<script src="/blog/js/pace.min.js"></script>


  

  

<meta name="generator" content="Hexo 6.0.0"></head>

</html>

<body>
  <div id="app">
    <main class="content">
      <section class="outer">
  <article id="post-CORSa" class="article article-type-post" itemscope
  itemprop="blogPost" data-scroll-reveal>

  <div class="article-inner">
    
    <header class="article-header">
       
<h1 class="article-title sea-center" style="border-left:0" itemprop="name">
  CORS原理详解
</h1>
  

    </header>
    

    
    <div class="article-meta">
      <a href="/blog/2019/05/01/CORSa/" class="article-date">
  <time datetime="2019-05-01T08:25:57.000Z" itemprop="datePublished">2019-05-01</time>
</a>
      
    </div>
    

    
    
    <div class="tocbot"></div>





    

    <div class="article-entry" itemprop="articleBody">
      


      

      
      <blockquote>
<p>阅读本文，你需要首先知道：</p>
<ol>
<li>浏览器的同源策略</li>
<li>跨域问题</li>
<li>JSONP原理</li>
<li>cookie原理</li>
</ol>
</blockquote>
<p>JSONP并不是一个好的跨域解决方案，它至少有着下面两个严重问题：</p>
<ol>
<li><strong>会打乱服务器的消息格式</strong>：JSONP要求服务器响应一段JS代码，但在非跨域的情况下，服务器又需要响应一个正常的JSON格式</li>
<li><strong>只能完成GET请求</strong>：JSONP的原理会要求浏览器端生成一个<code>script</code>元素，而<code>script</code>元素发出的请求只能是<code>get</code>请求</li>
</ol>
<p>所以，CORS是一种更好的跨域解决方案。</p>
<h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h1><p><code>CORS</code>是基于<code>http1.1</code>的一种跨域解决方案，它的全称是<strong>C</strong>ross-<strong>O</strong>rigin <strong>R</strong>esource <strong>S</strong>haring，跨域资源共享。</p>
<p>它的总体思路是：<strong>如果浏览器要跨域访问服务器的资源，需要获得服务器的允许</strong></p>
<p><img src="http://mdrs.yuanjin.tech/img/image-20200421152122793.png" alt="image-20200421152122793"></p>
<p>而要知道，一个请求可以附带很多信息，从而会对服务器造成不同程度的影响</p>
<p>比如有的请求只是获取一些新闻，有的请求会改动服务器的数据</p>
<p>针对不同的请求，CORS规定了三种不同的交互模式，分别是：</p>
<ul>
<li><strong>简单请求</strong></li>
<li><strong>需要预检的请求</strong></li>
<li><strong>附带身份凭证的请求</strong></li>
</ul>
<p>这三种模式从上到下层层递进，请求可以做的事越来越多，要求也越来越严格。</p>
<p>下面分别说明三种请求模式的具体规范。</p>
<h1 id="简单请求"><a href="#简单请求" class="headerlink" title="简单请求"></a>简单请求</h1><p>当浏览器端运行了一段ajax代码（无论是使用XMLHttpRequest还是fetch api），浏览器会首先判断它属于哪一种请求模式</p>
<h2 id="简单请求的判定"><a href="#简单请求的判定" class="headerlink" title="简单请求的判定"></a>简单请求的判定</h2><p>当请求<strong>同时满足</strong>以下条件时，浏览器会认为它是一个简单请求：</p>
<ol>
<li><p><strong>请求方法属于下面的一种：</strong></p>
<ul>
<li>get</li>
<li>post</li>
<li>head</li>
</ul>
</li>
<li><p><strong>请求头仅包含安全的字段，常见的安全字段如下：</strong></p>
<ul>
<li><code>Accept</code></li>
<li><code>Accept-Language</code></li>
<li><code>Content-Language</code></li>
<li><code>Content-Type</code></li>
<li><code>DPR</code></li>
<li><code>Downlink</code></li>
<li><code>Save-Data</code></li>
<li><code>Viewport-Width</code></li>
<li><code>Width</code></li>
</ul>
</li>
<li><p><strong>请求头如果包含<code>Content-Type</code>，仅限下面的值之一：</strong></p>
<ul>
<li><code>text/plain</code></li>
<li><code>multipart/form-data</code></li>
<li><code>application/x-www-form-urlencoded</code></li>
</ul>
</li>
</ol>
<p>如果以上三个条件同时满足，浏览器判定为简单请求。</p>
<p>下面是一些例子：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 简单请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/news&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">// 请求方法不满足要求，不是简单请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/news&quot;</span>, &#123;</span><br><span class="line">  <span class="attr">method</span>:<span class="string">&quot;PUT&quot;</span></span><br><span class="line">&#125;)</span><br><span class="line"></span><br><span class="line"><span class="comment">// 加入了额外的请求头，不是简单请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/news&quot;</span>, &#123;</span><br><span class="line">  <span class="attr">headers</span>:&#123;</span><br><span class="line">    <span class="attr">a</span>: <span class="number">1</span></span><br><span class="line">  &#125;</span><br><span class="line">&#125;)</span><br><span class="line"></span><br><span class="line"><span class="comment">// 简单请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/news&quot;</span>, &#123;</span><br><span class="line">  <span class="attr">method</span>: <span class="string">&quot;post&quot;</span></span><br><span class="line">&#125;)</span><br><span class="line"></span><br><span class="line"><span class="comment">// content-type不满足要求，不是简单请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/news&quot;</span>, &#123;</span><br><span class="line">  <span class="attr">method</span>: <span class="string">&quot;post&quot;</span>,</span><br><span class="line">  <span class="attr">headers</span>: &#123;</span><br><span class="line">    <span class="string">&quot;content-type&quot;</span>: <span class="string">&quot;application/json&quot;</span></span><br><span class="line">  &#125;</span><br><span class="line">&#125;)</span><br></pre></td></tr></table></figure>

<h2 id="简单请求的交互规范"><a href="#简单请求的交互规范" class="headerlink" title="简单请求的交互规范"></a>简单请求的交互规范</h2><p>当浏览器判定某个<strong>ajax跨域请求</strong>是<strong>简单请求</strong>时，会发生以下的事情</p>
<ol>
<li><strong>请求头中会自动添加<code>Origin</code>字段</strong></li>
</ol>
<p>比如，在页面<code>http://my.com/index.html</code>中有以下代码造成了跨域</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 简单请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/news&quot;</span>);</span><br></pre></td></tr></table></figure>

<p>请求发出后，请求头会是下面的格式：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">GET /api/news/ HTTP/1.1</span><br><span class="line">Host: crossdomain.com</span><br><span class="line">Connection: keep-alive</span><br><span class="line">...</span><br><span class="line">Referer: http://my.com/index.html</span><br><span class="line">Origin: http://my.com</span><br></pre></td></tr></table></figure>

<p>看到最后一行没，<code>Origin</code>字段会告诉服务器，是哪个源地址在跨域请求</p>
<ol start="2">
<li><strong>服务器响应头中应包含<code>Access-Control-Allow-Origin</code></strong></li>
</ol>
<p>当服务器收到请求后，如果允许该请求跨域访问，需要在响应头中添加<code>Access-Control-Allow-Origin</code>字段</p>
<p>该字段的值可以是：</p>
<ul>
<li>*：表示我很开放，什么人我都允许访问</li>
<li>具体的源：比如<code>http://my.com</code>，表示我就允许你访问</li>
</ul>
<blockquote>
<p>实际上，这两个值对于客户端<code>http://my.com</code>而言，都一样，因为客户端才不会管其他源服务器允不允许，就关心自己是否被允许</p>
<p>当然，服务器也可以维护一个可被允许的源列表，如果请求的<code>Origin</code>命中该列表，才响应<code>*</code>或具体的源</p>
<p><strong>为了避免后续的麻烦，强烈推荐响应具体的源</strong></p>
</blockquote>
<p>假设服务器做出了以下的响应：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">HTTP/1.1 200 OK</span><br><span class="line">Date: Tue, 21 Apr 2020 08:03:35 GMT</span><br><span class="line">...</span><br><span class="line">Access-Control-Allow-Origin: http://my.com</span><br><span class="line">...</span><br><span class="line"></span><br><span class="line">消息体中的数据</span><br></pre></td></tr></table></figure>

<p>当浏览器看到服务器允许自己访问后，高兴的像一个两百斤的孩子，于是，它就把响应顺利的交给js，以完成后续的操作</p>
<p>下图简述了整个交互过程</p>
<p><img src="http://mdrs.yuanjin.tech/img/image-20200421162846480.png" alt="image-20200421162846480"></p>
<h1 id="需要预检的请求"><a href="#需要预检的请求" class="headerlink" title="需要预检的请求"></a>需要预检的请求</h1><p>简单的请求对服务器的威胁不大，所以允许使用上述的简单交互即可完成。</p>
<p>但是，如果浏览器不认为这是一种简单请求，就会按照下面的流程进行：</p>
<ol>
<li><strong>浏览器发送预检请求，询问服务器是否允许</strong></li>
<li><strong>服务器允许</strong></li>
<li><strong>浏览器发送真实请求</strong></li>
<li><strong>服务器完成真实的响应</strong></li>
</ol>
<p>比如，在页面<code>http://my.com/index.html</code>中有以下代码造成了跨域</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 需要预检的请求</span></span><br><span class="line">fetch(<span class="string">&quot;http://crossdomain.com/api/user&quot;</span>, &#123;</span><br><span class="line">  <span class="attr">method</span>:<span class="string">&quot;POST&quot;</span>, <span class="comment">// post 请求</span></span><br><span class="line">  <span class="attr">headers</span>:&#123;  <span class="comment">// 设置请求头</span></span><br><span class="line">    <span class="attr">a</span>: <span class="number">1</span>,</span><br><span class="line">    <span class="attr">b</span>: <span class="number">2</span>,</span><br><span class="line">    <span class="string">&quot;content-type&quot;</span>: <span class="string">&quot;application/json&quot;</span></span><br><span class="line">  &#125;,</span><br><span class="line">  <span class="attr">body</span>: <span class="built_in">JSON</span>.stringify(&#123; <span class="attr">name</span>: <span class="string">&quot;袁小进&quot;</span>, <span class="attr">age</span>: <span class="number">18</span> &#125;) <span class="comment">// 设置请求体</span></span><br><span class="line">&#125;);</span><br></pre></td></tr></table></figure>

<p>浏览器发现它不是一个简单请求，则会按照下面的流程与服务器交互</p>
<ol>
<li><strong>浏览器发送预检请求，询问服务器是否允许</strong></li>
</ol>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">OPTIONS /api/user HTTP/1.1</span><br><span class="line">Host: crossdomain.com</span><br><span class="line">...</span><br><span class="line">Origin: http://my.com</span><br><span class="line">Access-Control-Request-Method: POST</span><br><span class="line">Access-Control-Request-Headers: a, b, content-type</span><br></pre></td></tr></table></figure>

<p>可以看出，这并非我们想要发出的真实请求，请求中不包含我们的响应头，也没有消息体。</p>
<p>这是一个预检请求，它的目的是询问服务器，是否允许后续的真实请求。</p>
<p>预检请求<strong>没有请求体</strong>，它包含了后续真实请求要做的事情</p>
<p>预检请求有以下特征：</p>
<ul>
<li>请求方法为<code>OPTIONS</code></li>
<li>没有请求体</li>
<li>请求头中包含<ul>
<li><code>Origin</code>：请求的源，和简单请求的含义一致</li>
<li><code>Access-Control-Request-Method</code>：后续的真实请求将使用的请求方法</li>
<li><code>Access-Control-Request-Headers</code>：后续的真实请求会改动的请求头</li>
</ul>
</li>
</ul>
<ol start="2">
<li><strong>服务器允许</strong></li>
</ol>
<p>服务器收到预检请求后，可以检查预检请求中包含的信息，如果允许这样的请求，需要响应下面的消息格式</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">HTTP/1.1 200 OK</span><br><span class="line">Date: Tue, 21 Apr 2020 08:03:35 GMT</span><br><span class="line">...</span><br><span class="line">Access-Control-Allow-Origin: http://my.com</span><br><span class="line">Access-Control-Allow-Methods: POST</span><br><span class="line">Access-Control-Allow-Headers: a, b, content-type</span><br><span class="line">Access-Control-Max-Age: 86400</span><br><span class="line">...</span><br></pre></td></tr></table></figure>

<p>对于预检请求，不需要响应任何的消息体，只需要在响应头中添加：</p>
<ul>
<li><code>Access-Control-Allow-Origin</code>：和简单请求一样，表示允许的源</li>
<li><code>Access-Control-Allow-Methods</code>：表示允许的后续真实的请求方法</li>
<li><code>Access-Control-Allow-Headers</code>：表示允许改动的请求头</li>
<li><code>Access-Control-Max-Age</code>：告诉浏览器，多少秒内，对于同样的请求源、方法、头，都不需要再发送预检请求了</li>
</ul>
<ol start="3">
<li><strong>浏览器发送真实请求</strong></li>
</ol>
<p>预检被服务器允许后，浏览器就会发送真实请求了，上面的代码会发生下面的请求数据</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">POST /api/user HTTP/1.1</span><br><span class="line">Host: crossdomain.com</span><br><span class="line">Connection: keep-alive</span><br><span class="line">...</span><br><span class="line">Referer: http://my.com/index.html</span><br><span class="line">Origin: http://my.com</span><br><span class="line"></span><br><span class="line">&#123;&quot;name&quot;: &quot;袁小进&quot;, &quot;age&quot;: 18 &#125;</span><br></pre></td></tr></table></figure>

<ol start="4">
<li><strong>服务器响应真实请求</strong></li>
</ol>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">HTTP/1.1 200 OK</span><br><span class="line">Date: Tue, 21 Apr 2020 08:03:35 GMT</span><br><span class="line">...</span><br><span class="line">Access-Control-Allow-Origin: http://my.com</span><br><span class="line">...</span><br><span class="line"></span><br><span class="line">添加用户成功</span><br></pre></td></tr></table></figure>



<p>可以看出，当完成预检之后，后续的处理与简单请求相同</p>
<p>下图简述了整个交互过程</p>
<p><img src="http://mdrs.yuanjin.tech/img/image-20200421165913320.png" alt="image-20200421165913320"></p>
<h1 id="附带身份凭证的请求"><a href="#附带身份凭证的请求" class="headerlink" title="附带身份凭证的请求"></a>附带身份凭证的请求</h1><p>默认情况下，ajax的跨域请求并不会附带cookie，这样一来，某些需要权限的操作就无法进行</p>
<p>不过可以通过简单的配置就可以实现附带cookie</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// xhr</span></span><br><span class="line"><span class="keyword">var</span> xhr = <span class="keyword">new</span> XMLHttpRequest();</span><br><span class="line">xhr.withCredentials = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"><span class="comment">// fetch api</span></span><br><span class="line">fetch(url, &#123;</span><br><span class="line">  <span class="attr">credentials</span>: <span class="string">&quot;include&quot;</span></span><br><span class="line">&#125;)</span><br></pre></td></tr></table></figure>

<p>这样一来，该跨域的ajax请求就是一个<em>附带身份凭证的请求</em></p>
<p>当一个请求需要附带cookie时，无论它是简单请求，还是预检请求，都会在请求头中添加<code>cookie</code>字段</p>
<p>而服务器响应时，需要明确告知客户端：服务器允许这样的凭据</p>
<p>告知的方式也非常的简单，只需要在响应头中添加：<code>Access-Control-Allow-Credentials: true</code>即可</p>
<p>对于一个附带身份凭证的请求，若服务器没有明确告知，浏览器仍然视为跨域被拒绝。</p>
<p>另外要特别注意的是：**对于附带身份凭证的请求，服务器不得设置 <code>Access-Control-Allow-Origin 的值为*</code>*<em>。这就是为什么不推荐使用</em>的原因</p>
<h1 id="一个额外的补充"><a href="#一个额外的补充" class="headerlink" title="一个额外的补充"></a>一个额外的补充</h1><p>在跨域访问时，JS只能拿到一些最基本的响应头，如：Cache-Control、Content-Language、Content-Type、Expires、Last-Modified、Pragma，如果要访问其他头，则需要服务器设置本响应头。</p>
<p><code>Access-Control-Expose-Headers</code>头让服务器把允许浏览器访问的头放入白名单，例如：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Access-Control-Expose-Headers: authorization, a, b</span><br></pre></td></tr></table></figure>

<p>这样JS就能够访问指定的响应头了。</p>

      
      <!-- 打赏 -->
      
        <div id="reward-btn">
          打赏
        </div>
        
    </div>
    <footer class="article-footer">
      <a data-url="https://gitee.com/huafu123/blog/2019/05/01/CORSa/" data-id="ckya9fc0p0001ygf64qcv2gd5"
        class="article-share-link">分享</a>
      
  <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/blog/tags/cors/" rel="tag">cors</a></li></ul>

    </footer>

  </div>

  
  
  <nav class="article-nav">
    
    
      <a href="/blog/2019/04/01/Cookiea/" class="article-nav-link">
        <strong class="article-nav-caption">下一篇</strong>
        <div class="article-nav-title">cookie的基本概念</div>
      </a>
    
  </nav>


  

  
  
<!-- valine评论 -->
<div id="vcomments-box">
    <div id="vcomments">
    </div>
</div>
<script src="//cdn1.lncld.net/static/js/3.0.4/av-min.js"></script>
<script src='https://cdn.jsdelivr.net/npm/valine@1.3.10/dist/Valine.min.js'></script>
<script>
    new Valine({
        el: '#vcomments',
        notify: false,
        verify: false,
        app_id: '',
        app_key: '',
        path: window.location.pathname,
        avatar: 'mp',
        placeholder: '给我的文章加点评论吧~',
        recordIP: true
    });
    const infoEle = document.querySelector('#vcomments .info');
    if (infoEle && infoEle.childNodes && infoEle.childNodes.length > 0) {
        infoEle.childNodes.forEach(function (item) {
            item.parentNode.removeChild(item);
        });
    }
</script>
<style>
    #vcomments-box {
        padding: 5px 30px;
    }

    @media screen and (max-width: 800px) {
        #vcomments-box {
            padding: 5px 0px;
        }
    }

    #vcomments-box #vcomments {
        background-color: #fff;
    }

    .v .vlist .vcard .vh {
        padding-right: 20px;
    }

    .v .vlist .vcard {
        padding-left: 10px;
    }
</style>

  

  
  
  

</article>
</section>
      <footer class="footer">
  <div class="outer">
    <ul class="list-inline">
      <li>
        &copy;
        2020-2022
        Huafu Li
      </li>
      <li>
        
          Powered by
        
        
        <a href="https://hexo.io" target="_blank">Hexo</a> Theme <a href="https://github.com/Shen-Yu/hexo-theme-ayer" target="_blank">Ayer</a>
        
      </li>
    </ul>
    <ul class="list-inline">
      <li>
        
        
        <ul class="list-inline">
  <li>PV:<span id="busuanzi_value_page_pv"></span></li>
  <li>UV:<span id="busuanzi_value_site_uv"></span></li>
</ul>
        
      </li>
      <li>
        <!-- cnzz统计 -->
        
        <script type="text/javascript" src='https://s9.cnzz.com/z_stat.php?id=1278069914&amp;web_id=1278069914'></script>
        
      </li>
    </ul>
  </div>
</footer>
    <div class="to_top">
        <div class="totop" id="totop">
  <i class="ri-arrow-up-line"></i>
</div>
      </div>
    </main>
    
    <aside class="sidebar">
      
        <button class="navbar-toggle"></button>
<nav class="navbar">
  
  <div class="logo">
    <a href="/blog/"><img src="/blog/hu.png" alt="虎虎生辉"></a>
  </div>
  
  <ul class="nav nav-main">
    
    <li class="nav-item">
      <a class="nav-item-link" href="/blog/">主页</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/blog/archives">目录</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/blog/about">关于</a>
    </li>
    
    <li class="nav-item">
      <a class="nav-item-link" href="/blog/pictures">相册</a>
    </li>
    
  </ul>
</nav>
<nav class="navbar navbar-bottom">
  <ul class="nav">
    <li class="nav-item">
      
      <a class="nav-item-link nav-item-search"  title="Search">
        <i class="ri-search-line"></i>
      </a>
      
      
      <a class="nav-item-link" target="_blank" href="/blog/atom.xml" title="RSS Feed">
        <i class="ri-rss-line"></i>
      </a>
      
    </li>
  </ul>
</nav>
<div class="search-form-wrap">
  <div class="local-search local-search-plugin">
  <input type="search" id="local-search-input" class="local-search-input" placeholder="Search...">
  <div id="local-search-result" class="local-search-result"></div>
</div>
</div>
      </aside>
      <div id="mask"></div>

<!-- #reward -->
<div id="reward">
  <span class="close"><i class="ri-close-line"></i></span>
  <p class="reward-p"><i class="ri-cup-line"></i>请我喝杯咖啡吧~</p>
  <div class="reward-box">
    
    <div class="reward-item">
      <img class="reward-img" src="/blog/./images/alipay.png">
      <span class="reward-type">支付宝</span>
    </div>
    
    
    <div class="reward-item">
      <img class="reward-img" src="/blog/./images/wechat.png">
      <span class="reward-type">微信</span>
    </div>
    
  </div>
</div>
      
<script src="/blog/js/jquery-2.0.3.min.js"></script>


<script src="/blog/js/jquery.justifiedGallery.min.js"></script>


<script src="/blog/js/lazyload.min.js"></script>


<script src="/blog/js/busuanzi-2.3.pure.min.js"></script>


  
<script src="/blog/fancybox/jquery.fancybox.min.js"></script>




  
<script src="/blog/js/tocbot.min.js"></script>

  <script>
    // Tocbot_v4.7.0  http://tscanlin.github.io/tocbot/
    tocbot.init({
      tocSelector: '.tocbot',
      contentSelector: '.article-entry',
      headingSelector: 'h1, h2, h3, h4, h5, h6',
      hasInnerContainers: true,
      scrollSmooth: true,
      positionFixedSelector: '.tocbot',
      positionFixedClass: 'is-position-fixed',
      fixedSidebarOffset: 'auto',
			onClick: (e) => {
      	document.getElementById(e.target.innerText).scrollIntoView()
      	return false;
    	}
    });
  </script>


<script>
  var ayerConfig = {
    mathjax: false
  }
</script>


<script src="/blog/js/ayer.js"></script>


<script src="https://cdn.jsdelivr.net/npm/jquery-modal@0.9.2/jquery.modal.min.js"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/jquery-modal@0.9.2/jquery.modal.min.css">



<script type="text/javascript" src="https://js.users.51.la/20544303.js"></script>
  
  

  </div>
</body>

</html>